A powerful, easily deployable network traffic analysis tool suite
Docker installation instructions vary slightly by distribution. Please follow the links below to docker.com to find the instructions specific to your distribution:
After installing Docker, because Malcolm should be run as a non-root user, add your user to the docker
group with something like:
$ sudo usermod -aG docker yourusername
Following this, either reboot or log out, then log back in.
Docker starts automatically on DEB-based distributions. On RPM-based distributions, users must start Docker manually or enable it using the appropriate systemctl
or service
command(s).
You can test Docker by running docker info
, or (assuming you have internet access), docker run --rm hello-world
.
Please follow this link on docker.com for instructions on installing the Docker Compose plugin.
The host system (i.e., the one running Docker) must be configured for the best possible OpenSearch performance. Here are a few suggestions for Linux hosts (these may vary from distribution to distribution):
/etc/sysctl.conf
:# the maximum number of open file handles
fs.file-max=2097152
# increase maximums for inotify watches
fs.inotify.max_user_watches=131072
fs.inotify.max_queued_events=131072
fs.inotify.max_user_instances=512
# the maximum number of memory map areas a process may have
vm.max_map_count=262144
# decrease "swappiness" (swapping out runtime memory vs. dropping pages)
vm.swappiness=1
# the maximum number of incoming connections
net.core.somaxconn=65535
# the % of system memory fillable with "dirty" pages before flushing
vm.dirty_background_ratio=40
# maximum % of dirty system memory before committing everything
vm.dirty_ratio=80
5
. However, if your host communicates with other systems over a low-quality network, this low of a setting may be detrimental to those communications. To set this value, add the following to /etc/sysctl.conf
:# maximum number of TCP retransmissions
net.ipv4.tcp_retries2=5
/etc/security/limits.d/limits.conf
containing:# the maximum number of open file handles
* soft nofile 65535
* hard nofile 65535
# do not limit the size of memory that can be locked
* soft memlock unlimited
* hard memlock unlimited
OR the file /etc/systemd/system.conf.d/limits.conf
containing:
[Manager]
# the maximum number of open file handles
DefaultLimitNOFILE=65535:65535
# do not limit the size of memory that can be locked
DefaultLimitMEMLOCK=infinity
/etc/rc.local
(replacing /dev/sda
with their disk block descriptor):# change disk read-adhead value (# of blocks)
blockdev --setra 512 /dev/sda
Change the I/O scheduler to deadline
or noop
. Again, this can be done in a variety of ways. The simplest is to add elevator=deadline
to the arguments in GRUB_CMDLINE_LINUX
in /etc/default/grub
, then running sudo update-grub
.
Enable cgroup accounting for memory and swap space. This can be done by adding cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem
to the arguments in GRUB_CMDLINE_LINUX
in /etc/default/grub
, then running sudo update-grub
.
If you are planning on using very large data sets, consider formatting the drive containing the opensearch
volume as XFS.
After making allthese changes, do a reboot for good measure!
See Docker vs. Podman.